RATS, Bots and reverse proxy phishing: why cyber criminals have shipping in their sights

Attackers are using ever more sophisticated approaches to infiltrate a sector that is increasingly within reach, writes Nicolas Furgé, President Digital, Marlink

Cyber risk is seen by many as a fact of life but for a long time, the shipping industry’s comparative isolation from threats was its greatest advantage. Small volumes of low bandwidth traffic meant shipping presented a moving target of comparatively low value.

The advent of high throughput, low latency LEO services alongside VSAT and 4/5G connectivity has brought shipping into the mainstream of digitalisation. The threat level has risen accordingly, and so has the need for regulation that will go some way towards managing the risk.

Such rules have so far been a patchwork approach but they are becoming increasingly joined up as statutory guidance, voluntary systems and industry standards are supplemented by European Union regulation that threatens punitive fines for non-compliance.

The rise of the regulators is timely, as the threats from cyber-criminals continue to increase, growing in volume and sophistication.

The latest global maritime cyber threat report produced by the Marlink Security Operations Centre (SOC) demonstrates the changing tactics of cyber criminals, who are increasingly attempting to bypass previously effective security controls using new tools.

Marlink’s unique maritime SOC actively monitored more than 1,800 vessels in the first half of 2024 and the data show that malicious activity in this period increased significantly compared to the previous year.

Analysts observed a continued rise in common threats such as Command and Control (C&C) attacks, along with the evolution of botnet attacks, which are growing in number and complexity.

Phishing continues to be the leading tactic used by attackers to gain access to corporate networks, though the SOC also detected an increase in blacklisted malicious traffic. This highlights the importance of maintaining up-to-date threat intelligence feeds and applying strict security policies to prevent unauthorised connections to high-risk sites.

Increased visibility into events from endpoint detection and response (EDR) solutions, firewalls and e-mail security, along with the context provided by intelligence capabilities, has allowed SOC analysts to gain deeper insight into the evolving threat landscape.

Malicious actors are evolving their attack patterns and launching fraudulent campaigns that bypass previously effective security controls, such as two-factor authentication, forcing defenders to react and raise the security level to ensure operations are safeguarded.

During the first half of 2024, a significant portion of the threats neutralised by the SOC have continued to follow the most common attack vector seen since 2022: phishing. However, in this period, there has been a notable increase in a more advanced form known as ‘reverse proxy phishing’.

Phishing is a classic cyberattack method where attackers impersonate legitimate entities (like banks or service providers) to trick users into providing sensitive information, such as login credentials or financial data. Traditional phishing often relies on fake websites or fraudulent e-mails to capture user data.

‘Reverse proxy phishing’, on the other hand, is a more sophisticated version. Instead of simply creating a fake website, the attacker sets up a ‘proxy’ that sits between the legitimate website and the victim. This proxy captures the user’s credentials and, in real time, forwards them to the actual site, so that the victim sees the genuine site respond as normal. The danger of this method lies in the fact that it can bypass multi-factor authentication (MFA), which is commonly used to protect sensitive systems: a one-time code typed into the proxied page is relayed to the real site just like the password, and the authenticated session that results passes through the attacker’s proxy.
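As an added illustration (not from the article or from Marlink’s report), the following Python simulation shows why a relayed one-time code survives a proxy while an origin-bound assertion, the model used by FIDO2/WebAuthn authenticators, does not. The origins are placeholders, and an HMAC with a constructed key stands in for the authenticator’s public-key signature.

```python
import hashlib
import hmac
import json
import os

EXPECTED_ORIGIN = "https://portal.example"           # the real service (placeholder)
PHISHING_ORIGIN = "https://portal-example.lookalike"  # the proxy's domain (placeholder)
DEVICE_KEY = b"constructed-demo-key-not-a-real-credential"  # constructed; stands in for the keypair


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """What a FIDO2 authenticator conceptually does: sign the server's challenge
    together with the origin the browser is actually connected to. The browser
    fills in the origin; neither the user nor the page script can override it."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def relying_party_verify(challenge: bytes, assertion: dict) -> bool:
    """Server-side check: the signature must be valid AND the signed origin must
    be the service's own. A proxy relaying the assertion cannot rewrite the
    origin field without breaking the signature."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != EXPECTED_ORIGIN:
        return False  # signed for a different site: the phishing domain
    if data.get("challenge") != challenge.hex():
        return False  # stale or replayed challenge
    expected = hmac.new(DEVICE_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def otp_verify(submitted: str, current_code: str) -> bool:
    """A plain one-time code carries no origin: any party holding it within the
    validity window passes, which is why a relaying proxy defeats it."""
    return hmac.compare_digest(submitted, current_code)


def login_direct() -> bool:
    """Victim's browser is connected to the real origin."""
    challenge = os.urandom(32)
    return relying_party_verify(challenge, authenticator_sign(challenge, EXPECTED_ORIGIN))


def login_via_proxy() -> bool:
    """Victim's browser is connected to the proxy, which relays the challenge
    and the resulting assertion unchanged; the origin check still fails."""
    challenge = os.urandom(32)
    return relying_party_verify(challenge, authenticator_sign(challenge, PHISHING_ORIGIN))
```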

Reverse proxy phishing opens the door to serious cybersecurity threats such as C&C systems, botnets and Remote Access Trojans (RATs). Once attackers gain access to a network, they can deploy C&C infrastructure to remotely control compromised systems. This could enable the creation of botnets, large networks of infected devices used for malicious activities such as Distributed Denial of Service (DDoS) attacks.

Data from the Marlink SOC suggest growing sophistication of cyber threats targeting vessel operations, pushing the boundaries of existing security measures and demanding a proactive approach from maritime companies.

For the maritime sector, these attacks can significantly impact operations, from the disruption of shipping logistics to the manipulation of sensitive communication systems. Delays, loss of reputation, and costly recoveries are just a few of the possible outcomes.

In response, the Marlink SOC is seeking to enhance its monitoring capabilities with greater use of real-time threat detection, AI-driven behavioural analysis, threat intelligence and stronger MFA solutions.

The evolution of the threat landscape in the first six months of 2024 has continued to surprise. It is clear that even vessel operators who have previously acted against cyber threats must consider this a continuous process. Focussing on the combination of people, procedures and precautions, these companies can better protect themselves and their stakeholders, ensuring safer and more resilient operations.
